SYS::ONLINE
Wasteland.
Briefs1222
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-25089 2026-07-16

CVE-2026-25089: Critical Unauthenticated Command Injection in Fortinet FortiSandbox

"Fortinet FortiSandbox contains a critical (CVSS 9.8) OS command injection flaw that lets unauthenticated attackers run arbitrary commands via crafted HTTP requests, and CISA has confirmed it is being actively exploited."

Fortinet FortiSandbox contains a critical (CVSS 9.8) OS command injection flaw that lets unauthenticated attackers run arbitrary commands via crafted HTTP requests, and CISA has confirmed it is being actively exploited.

What Is It

CVE-2026-25089 is an OS command injection vulnerability (CWE-78) in Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Because the appliance improperly neutralizes special elements in OS commands, an unauthenticated attacker can execute unauthorized commands by sending specifically crafted HTTP requests. It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, network-reachable, low complexity, no privileges or user interaction required, with high confidentiality, integrity, and availability impact.

Why It Matters

CISA added CVE-2026-25089 to its Known Exploited Vulnerabilities catalog on 2026-07-16, confirming active exploitation in the wild. CISA's SSVC assessment rates exploitation as "active," automatable as "yes," and technical impact as "total." FortiSandbox is a malware-analysis appliance often positioned deep in security infrastructure, so unauthenticated remote code execution against it is especially serious. Known ransomware campaign use is currently listed as "Unknown."

What's Vulnerable

Per NVD, the following versions are affected: - FortiSandbox 5.0.0 through 5.0.5 - FortiSandbox 4.4.0 through 4.4.8 - FortiSandbox 4.2 (all 4.2.x versions, 4.2.1–4.2.8) - FortiSandbox Cloud 5.0.4 through 5.0.5 - FortiSandbox PaaS 5.0.4 through 5.0.5

Patch Status

CISA's required action: apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 guidance and CISA's "Forensics Triage Requirements." For cloud services, follow applicable BOD 26-04 guidance or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure and adhere to BOD 26-04 patching guidelines. The CISA action due date is 2026-07-19. Refer to Fortinet advisory FG-IR-26-141 for vendor remediation details.

Sources